more refactoring

3fb0e229 · Adam Lewenberg · 7c21e57d · 3fb0e229 · 3fb0e229 · 3fb0e229
Commit 3fb0e229 authored Oct 09, 2020 by Adam Lewenberg
--- a/files/etc/ssl/certs/addtrust-usertrust-2020.pem
+++ b/files/etc/ssl/certs/addtrust-usertrust-2020.pem
--- a/files/etc/ssl/certs/comodo-addtrust-2020-new.pem
+++ b/files/etc/ssl/certs/comodo-addtrust-2020-new.pem
--- a/files/etc/ssl/certs/comodo-addtrust-2020.pem
+++ b/files/etc/ssl/certs/comodo-addtrust-2020.pem
--- a/files/etc/ssl/certs/comodo-entrust-2015.pem
+++ b/files/etc/ssl/certs/comodo-entrust-2015.pem
--- a/files/etc/ssl/certs/comodo-entrust-2019.pem
+++ b/files/etc/ssl/certs/comodo-entrust-2019.pem
--- a/files/etc/ssl/certs/comodo-incommon-addtrust-bundle-2020.pem
+++ b/files/etc/ssl/certs/comodo-incommon-addtrust-bundle-2020.pem
--- a/files/etc/ssl/certs/incommon-addtrust-2020.pem
+++ b/files/etc/ssl/certs/incommon-addtrust-2020.pem
--- a/files/etc/ssl/certs/incommon-usertrust-addtrust-bundle-2020.pem
+++ b/files/etc/ssl/certs/incommon-usertrust-addtrust-bundle-2020.pem
--- a/files/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem
+++ b/files/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem
+-----BEGIN CERTIFICATE-----
+MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
+MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
+BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
+aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
+dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
+3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
+tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
+Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
+VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
+79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
+c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
+Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
+c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
+UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
+Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
+BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
+Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
+VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
+ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
+8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
+iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
+Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
+XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
+qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
+L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
+jjxDah2nGN59PRbxYvnKkKj9
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UE
+BhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQK
+ExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNh
+dGlvbiBBdXRob3JpdHkwHhcNMTQxMDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQG
+EwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQy
+MREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBDQTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+exU5NEFj6MJsXKZDmMwys
+E1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7vHgV9lestjaKpTbOc5/MZNrun8XzmCB5h
+J0R6lvSoNNviQsil2zfVtefkQnI/tBPPiwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW
+61fo8BBZ321wDGZq0GTlqKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5A
+B8f2IHpTeIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyMLfzcC
+AwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBQe
+BaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAEC
+AjBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNB
+Q2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
+dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5jcnQwJQYIKwYB
+BQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAC0RBjjW
+29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZ
+sHURKsISNrqOcooGTie3jVgU0W+0+Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco
+74fzYefbZ/VS29fR5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bj
+zw72hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250LoRCASN18J
+yfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXEDSmyj4jWG3R7Z8TED9xNN
+CxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/ieoQp0UM/L8zfP527vWjEzuDN5xwxMnhi
+vCToh7J159o5ah29mP+aJnvujbXEnGanrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp
+/cqf9ZhEtkGcQcIImH3boJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fq
+rrp1WnhHOjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+-----END CERTIFICATE-----
--- a/manifests/cert/hash.pp
+++ b/manifests/cert/hash.pp
-# Creates the OpenSSL hash symlinks for certificates.  Factored out for ensure
-# handling and since it's used for both the main certificate and for the
-# Comodo root certificate.
+# Creates the OpenSSL hash symlinks for certificates. Factored out for
+# ensure handling and since it's used for both main certificates and
+# root certificates.

 define su_apache::cert::hash(
-  $ensure    = 'present',
-  $directory = '/etc/ssl/certs'
+  Enum['present', 'absent'] $ensure    = 'present',
+  String                    $directory = '/etc/ssl/certs',
 ) {
-  if !($ensure in [ 'present', 'absent' ]) {
-    fail("ensure must be present or absent, not $ensure")
-  }
+
  $hashcommand = "`openssl x509 -noout -hash -in ${directory}/${name}`"

  # Create the link if ensure is present.
  if ($ensure == 'present') {
    exec { "openssl hash link ${directory}/${name}":
      command => "ln -s ${directory}/${name} ${directory}/${hashcommand}.0",
+      path    => ['/usr/bin', '/usr/sbin'],
      unless  => "[ -f \"${directory}/${hashcommand}.0\" ]",
      require => $::osfamily ? {
        'Debian' => [ File["${directory}/${name}"],

--- a/manifests/cert/incommon.pp
+++ b/manifests/cert/incommon.pp
+# Install an InCommon-provided certificate.
+
+# The key is downloaded via wallet.  The certificate will be symlinked to
+# /etc/ssl/certs/server.pem and the key to /etc/ssl/private/server.key.
+
+# The root/intermediate certificate chain is installed as the bundle
+
+# Syntax:
+#
+#     su_apache::cert::comodo { "<hostname>":
+#         ensure      => present,
+#         keyname     => "ssl-key/<hostname>",
+#         owner       => "root",
+#         group       => $operatingsystem ? {
+#                            debian => "ssl-cert",
+#                            ubuntu => "ssl-cert",
+#                            redhat => "root",
+#                        },
+#         mode        => "0640",
+#         identity    => "<hostname>",
+#         symlink     => false,
+#     }
+#
+# <hostname> MUST be full-qualified.
+#
+# Only ensure need be specified; the other listed parameters are the defaults.
+# <hostname> should be the unqualified hostname.  The public certificate
+# should be stored in modules/apache/files/certs/<hostname> (defaulting to
+# <hostname>).
+
+########################################################################################
+
+# $name: This should be the FULLY qualified name. For example "example.stanford.edu". You can
+# also provide something like "example.stanford.edu-saml" for a SAML key-pair. $name implies
+# the wallet name and certificate filename:
+#
+#    wallet name -> "ssl-key/$name"
+#    cert_files  -> $name
+#
+# Example. If $name is "example.stanford.edu-saml" then the wallet name will be
+# "ssl-key/example.stanford.edu-saml" and the certificate pulled from the cert_files
+# module will be "example.stanford.edu-saml".
+#
+# $ensure: set to present to install the certificate, absent to uninstall. This parameter
+# is required and defaults to 'present'.
+#
+# $keyname: the Wallet file object name. Defaults to "ssl-key/$name"
+#
+# $owner: file owner of the private key. Defaults to "root".
+#
+# $group: group owner of the private key. Default will depend on the OS.
+#
+# $identity: If the file name in the cert_files module does NOT match $name, you can specify
+# the file name with $identity. Example:
+#
+# su_apache::cert::comodo { 'example.stanford.edu':
+#   identity => 'example2.stanford.edu',
+# }
+#
+# This will install the certificate "example.stanford.edu" but pull use the certificate file
+# "example2.stanford.edu" from the cert_files module.
+#
+# $symlink: if set to true will create a symlink from the cert and private key to the filenames
+# "server.pem" and "server.key", respectively. Defaults to false.
+
+########################################################################################
+
+define su_apache::cert::incommon(
+  Enum['present', 'absent'] $ensure   = 'present',
+  Optional[String]          $keyname  = undef,
+  String                    $owner    = 'root',
+  Optional[String]          $group    = undef,
+  String                    $mode     = '0640',
+  Optional[String]          $identity = undef,
+  Boolean                   $symlink  = false,
+) {
+
+  # Include the InCommon root/intermediate chain bundle.
+  if ($ensure == 'present') {
+    include su_apache::cert::root::incommon
+  }
+
+  # Install the private key using Wallet.
+  case $keyname {
+    undef:   { $key = "ssl-key/${name}" }
+    default: { $key = $keyname }
+  }
+
+  # Calculate the group name.
+  $group_name = $group ? {
+    undef   => $::operatingsystem ? {
+      'debian' => 'ssl-cert',
+      'ubuntu' => 'ssl-cert',
+      'redhat' => 'root',
+      'CentOS' => 'root',
+    },
+    default => $group,
+  }
+
+  base::wallet { $key:
+    ensure  => $ensure,
+    type    => 'file',
+    path    => "/etc/ssl/private/${name}.key",
+    owner   => $owner,
+    group   => $group_name,
+    mode    => $mode,
+    require => $::osfamily ? {
+      'Debian' => Package['ca-certificates'],
+      'RedHat' => $::lsbmajdistrelease ? {
+        '6'     => Package['ca-certificates'],
+        default => Package['openssl'],
+      },
+    },
+  }
+
+  # Install the public certificate.
+  file { "/etc/ssl/certs/${name}":
+    ensure  => $ensure,
+    source  => $identity ? {
+      undef   => "puppet:///modules/cert_files/${name}",
+      default => "puppet:///modules/cert_files/${identity}",
+    },
+    require => $::osfamily ? {
+      'Debian' => Package['ca-certificates'],
+      'RedHat' => $::lsbmajdistrelease ? {
+        '6'     => Package['ca-certificates'],
+        default => Package['openssl'],
+      },
+    },
+  }
+
+  # Create the OpenSSL hash links.
+  su_apache::cert::hash { "${name}.pem": ensure => $ensure }
+
+  # Install the server symlinks unless symlink is set to false.
+  if ($symlink) {
+    file { '/etc/ssl/certs/server.pem':
+      ensure  => $ensure ? {
+        present => link,
+        absent  => absent,
+        default => $ensure,
+      },
+      target  => "${name}.pem",
+      require => $::osfamily ? {
+        'Debian' => Package['ca-certificates'],
+        'RedHat' => $::lsbmajdistrelease ? {
+          '6'     => Package['ca-certificates'],
+          default => Package['openssl'],
+        },
+      },
+    }
+
+    file { '/etc/ssl/private/server.key':
+      ensure => $ensure ? {
+        present => link,
+        absent  => absent,
+        default => $ensure,
+      },
+      target => "${name}.key",
+      require => $::osfamily ? {
+        'Debian' => Package['ca-certificates'],
+        'RedHat' => $::lsbmajdistrelease ? {
+          '6'     => Package['ca-certificates'],
+          default => Package['openssl'],
+        },
+      },
+    }
+  }
+}
--- a/manifests/cert/root.pp
+++ b/manifests/cert/root.pp
+# Install a root certificate. Creates the hash symlink.
+#
+# This define assumes that both the openssl and ca-certificates
+# package Puppet resources have been defined elsewhere; if not,
+# raise a Puppet error.
+
+define su_apache::cert::root(
+  Enum['present', 'absent'] $ensure = 'present'
+) {
+
+  file { "/etc/ssl/certs/${name}.pem":
+    ensure  => $ensure,
+    source  => "puppet:///modules/su_apache/etc/ssl/certs/${name}.pem",
+    require => $::osfamily ? {
+      'Debian' => Package['ca-certificates'],
+      'RedHat' => $::lsbmajdistrelease ? {
+        '6'     => Package['ca-certificates'],
+        default => Package['openssl'],
+      },
+    },
+  }
+
+  su_apache::cert::hash { "${name}.pem": ensure => $ensure }
+}
--- a/manifests/cert/root/incommon.pp
+++ b/manifests/cert/root/incommon.pp
+# Install the required InCommon root and intermediate certificates.
+class su_apache::cert::root::incommon {
+
+  # Install all the known Comodo and InCommon intermediate certificates.
+  su_apache::cert::root {
+    [
+      'incommon-usertrust-2024',
+    ]: ensure => present;
+  }
+
+  # [Added 30-Jan-2020] Install a copy of the newest Comodo certificate
+  # bundle with the 2024 InCommon intermediate and the new 2038 UserTrust
+  # root certificate. See also
+  # https://ikiwiki.stanford.edu/service/certreq/incommon2020/
+  file { '/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem':
+    source  => 'puppet:///modules/apache/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem',
+    require => $::osfamily ? {
+      'Debian' => Package['ca-certificates'],
+      'RedHat' => $::lsbmajdistrelease ? {
+        '6'     => Package['ca-certificates'],
+        default => Package['openssl'],
+      },
+    },
+  }
+
+}